Feds: Chinese Traders Busted, Trading on Info “Hacked” from Law Firms via Email Compromise

A warning for law firms:

Preet Bharara, the U.S. Attorney for the Southern District of New York, said the case should serve as a “wake-up call for law firms around the world.”

“You are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” Bharara said in a statement.

But here is the most important point to remember, from the DOJ statement, demonstrating that this entire “hack” was a result of compromised email credentials – not the James Bond kind of stuff people like to think about. There were two law firms “hacked” and both started with compromised employee email credentials:

“[B]eginning about July 2014, the Defendants, without authorization, caused one of Law Firm-1’s web servers (the “Law Firm-1 Web Server”) to be accessed by using the unlawfully obtained credentials of a Law Firm-1 employee. The Defendants then caused malware to be installed on the Law Firm-1 Web Server. The access to the Law Firm-1 Web Server allowed unauthorized access to at least one of Law Firm-1’s email servers (the “Law Firm-1 Email Server”), which contained the emails of Law Firm-1 employees, including Partner-1.”

“[T]he Defendants, without authorization, caused one of Law Firm-2’s web servers (the “Law Firm-2 Web Server”), located in New York, New York, to be accessed by using the unlawfully obtained credentials of a Law Firm-2 employee. The Defendants then caused malware to be installed on the Law Firm-2 Web Server.”


A Cybersecurity Night Before Christmas

My friend Paul Ferrillo (@PaulFerrillo) shared a cybersecurity version of the Night Before Christmas that I thought was brilliant. Wanting to be sure and properly credit this fine work, I asked Paul about attribution … since we can never be too confident in attribution, after all, yet it is critically important. Paul then confessed that it was not his original work but that of his AI poem-bot which, to me, is even more remarkable.

Here is Paul’s AI poem-bot’s version of the Cybersecurity Night Before Christmas:

‘Twas the night before Christmas, when all through the house
not a creature was stirring, except for Fancy Bear.
The computers were humming by the chimney with care,
exfiltrating data that soon would be not there.
The incident response staff were nestled all snug in their beds,
while visions of sleep filled night danced in their heads.
When out of the SIEM there arose such a clatter,
I sprang from my bed to see what was the matter.
And I said Darn, I wished I had installed that machine learning solution I heard about at RSA.
Happy Holidays to all!

Here is our conversation with the original post so if you enjoyed it, hop on over and let Paul know with your comments: www.linkedin.com/hp/update/6218155148829552640

Merry Christmas, friends, and a very Happy New Year!

p.s., if you want to know some of Paul’s thoughts on how to have more effective cybersecurity, without working really hard like Clark Griswold and washing machines, check out our article 7 Strategies to Win the Cyber “Space Race” and the discussion of using AI and machine learning.


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Top 3 CFAA Takeaways from Facebook v. Power Ventures Case in Ninth Circuit

Here are my top 3 key Computer Fraud and Abuse Act (CFAA) takeaways from the Ninth Circuit Court of Appeals’ Order and Amended Opinion issued on December 9, 2016 in Facebook, Inc. v. Power Ventures, Inc.

1.  A violation of the CFAA can occur when someone “has no permission to access a computer or when such permission has been revoked explicitly.”

First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.

*   *   *

The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. . . . Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.”

*   *   *

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute. (Opinion, p. 15-19).

2.  “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.” (Opinion, p. 15-16).

The foregoing statement was followed with this footnote:

One can imagine situations in which those two principles might be in tension–situations in which, for example, an automatic boilerplate revocation follows a violation of a website’s terms of use–but we need not address or resolve such questions on the stark facts before us.

One of the most fundamental principles of law is that people be afforded notice of situations placing them in legal jeopardy. Over and over, the Court emphasizes that Power Ventures received actual notice and was subjectively aware that Facebook revoked its authorization to access the site. In looking at how courts handle “browse wrap” versus “click wrap” online agreements, they consistently look for some objective manifestation that the user was subjectively aware of the existence of the agreement and subjectively assented to it — whether actually reading it or understanding it or not.

In future terms of use cases claiming violations of the CFAA, it is likely that the courts will look to see if there was a manifestation of actual notice of the restrictions, prior to the restricted act, which was then consciously disregarded by engaging in the restricted act.

3.  Employee time spent investigating and responding to an incident can be used to calculate the $5,000 “Loss” that is a prerequisite for a civil CFAA claim.

First, we hold that Facebook suffered a loss within the meaning of the CFAA. The statute permits a private right of action when a party has suffered a loss of at least $5,000 during a one-year period. Id. § 1030(c)(4)(A)(i)(I). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power’s actions. Accordingly, Facebook suffered a loss under the CFAA. (Opinion, p. 13-14).

Is Key Claim Missing from Pastor’s Lawsuit Over Wife’s Nude Pics Emailed to Swinger Site?

Should a claim for [YOU GUESS] have been included in this lawsuit? See my thoughts below and share your thoughts.

The Allegations Behind the Lawsuit

A legal team led by Gloria Allred made news by suing Toyota (and others) on behalf of a Frisco, Texas pastor and his wife, Tim and Claire Gautreaux, alleging that a Toyota salesman emailed nude pictures of Claire to a swingers’ website from Tim’s phone while in his possession to confirm a preapproval offer that was on an app.